Service accounts cannot invite attendees without Domain-Wide Delegation of Authority
I see the error and searched lot but no solution was useful for me and I still see the error.
I don't have any issue on creating an event with service account but can't invite any user
I already added my client id in the Security > Access and data control > API Controls.
In the Domain wide delegation pane, Manage Domain Wide Delegation.
No changes I see
I already followed these steps and no changes applied.
From your Google Workspace domain’s Admin console, go to Main menu menu > Security > Access and data control > API Controls.
In the Domain wide delegation pane, select Manage Domain Wide Delegation.
Click Add new.
In the Client ID field, enter the service account’s Client ID. You can find your service account’s client ID in the Service accounts page.
In the OAuth scopes (comma-delimited) field, enter the list of scopes that your application should be granted access to. For example, if your application needs domain-wide full access to the Google Calendar API, enter:
https://www.googleapis.com/auth/calendar
Click Authorize.
Related
Is it possible using a service account to add events in the user's calendar ?
For example given a internal email (in our workspace), could we add an event for this user ?
We have a configured service account with Domain-wide Delegation, we are able to list users, create new one etc. But we would like to access their calendar to add new events.
Is it possible to achieve ?
Edit
We do not want our user to use a OAuth2 consent screen, we want to do it smoothly without them to need to interact.
If you set up domain wide deligation for the service account to a user on your domain.
Then yes the service account will be able to act on behalf of that user and add an event in their calendar.
Service accounts have their consent preconfigured so no consent screen will be shown.
I am able to create an event in Google Calendar using Service account and Google Calendar API, where Project and Service Account is created in Google Workspace admin account and in the same account, I have enabled domain-wide delegation property. I haven't created separate calendar and haven't given access to Service account. If I use my workspace-google account in createDelegated(), with this event is getting created in 'abc#myworkspace.com' calendar and 'created by' property is also the same for every attendee I have added.
GoogleCredentials googleCredentials = GoogleCredentials
.fromStream(new FileInputStream(CREDENTIALS_FILE_PATH)).createScoped(SCOPES)
.createDelegated("abc#myworkspace.com");
So my question is what if I need to create event for non-workspace google account(lets say def#gmail.com)
Can I pass 'def#gmail.com' into the createDelegated()? If I do, I am getting,
Error getting access token for service account: 400 Bad Request
So how to create event for non-workspace google account?
Note : App type is still 'Internal' in OAuth consent screen.
Could someone explain what am I missing here?
A service account with domain-wide delegation can only be used for domains
A Google Workspace account is a domain, a personal consumer account is not a domain.
Consequently, you can not perform a request on behalf of a consumer account user via a service account.
Instead, you would need to create the event directly as def#gmail.com similar to the documentation sample.
No you can only delgate to an account on your domain
createDelegated("abc#myworkspace.com");
You can not delgate to a standard google account as there would be no way for you to configure the permissions
perform-google-workspace-domain-wide-delegation-of-authority
Perform Google Workspace Domain-Wide Delegation of Authority
Note: Only users with access to the Admin APIs can access the Admin SDK Directory API, therefore your service account needs to impersonate one of those users to access the Admin SDK Directory API. Additionally, the user must have logged in at least once and accepted the Google Workspace Terms of Service.
Owner vs attendee.
A service account properly delegated. Will have permission to create an event on behalf of a user in the domain that they have been delegated permission.
Example: I have delegated permission to my service account to user User1#myDomain.com. For all intensive purposed the service account now has all permissions of User1. So the service account can create a new event on behalf of user1 and invite anyone to the event they choose.
As there is no way to set up deligation to user2#gmail.com there is no way for the service account to act like this user as it is a standard gmail user.
The only way for an application to create an event on behalf of user2#gmail.com would be to use Oauth2 and request consent of User2#gmail.com to access their private data. Then the application would be able to create a new event on behalf of User2#gmail.com.
Remember this is creating an event. There is nothing stopping the service account delegated as user1#mydomain.com from inviting user2#gmail.com to the event. user2#gmail.com will then be notified that they have been invited to the event they can then decide if they want to attend or not if they accept it then it will appear in their google calendar account. Notice how user2#gmail.com had to manually accept this. User1#mydomain.com did not have to manually accept that the event was created in their google calendar as the service account was acting on their behalf.
I'm working on one school app. I'm able to create events using google calender API with NodeJS. I created the clientID and secretID on the school google account. Every time event is created, only the admin has access to start the meeting. But I want teachers(who are creating the event) to be the organizer. How can I achieve this?
The organizer field of an event is a read-only field. You can use the move action to move the event and change the organizer but this can only be done if the authenticated user has write access to the destination calendar.
A solution would be to use a service account and perform domain wide delegation. In this way you will be able to impersonate the user in question and organize the event wanted.
According to the Service accounts documentation:
A service account is a special kind of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls.
As for performing domain-wide delegation, you might want to take a look into this:
In enterprise applications you may want to programmatically access users data without any manual authorization on their part. In G Suite domains, the domain administrator can grant to third party applications domain-wide access to its users' data — this is referred as domain-wide delegation of authority. To delegate authority this way, domain administrators can use service accounts with OAuth 2.0.
Reference
Calendar API - Events:move;
Service Accounts;
Calendar API - Perform G Suite Domain-Wide Delegation of Authority;
Using OAuth 2.0 for Server to Server Applications.
I have a service account created through the Google developer console specifically for API access to Google Drive to retrieve documents. However recently I have changed my G-suite Google Drive settings to have the security restriction that documents can only be shared outside of my organization to whitelisted domains rather than it being wide-open for sharing purposes.
Prior to this security setting change everything was working fine having my service account access documents it has specifically been granted access to. However after the change when viewing the sharing settings on a file that it previously had access to it now says the account cannot be granted access as the policy set prohibits the sharing of items to this user as its not in a compatible whitelisted domain.
I did try whitelisting gserviceaccount.com within my G-suite admin console but this still brought no luck.
Anyone else have a similar issue? Any good solution?
Thanks!
You may want to complete the following steps given in Delegating domain-wide authority to the service account:
Go to your G Suite domain’s Admin console.
Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls. If you can't see the controls, make sure you're signed in as an administrator for the domain.
Select Show more and then Advanced settings from the list of options.
Select Manage API client access in the Authentication section.
In the Client Name field enter the service account's Client ID. You can find your service account's client ID in the Service accounts page.
In the One or More API Scopes field enter the list of scopes that your application should be granted access to. For example, if your application needs domain-wide access to the Google Drive API and the Google Calendar API, enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar.
Click Authorize.
This will give authority to your app to make application calls as users in your domain. However, please note on this:
Although you can use service accounts in applications that run from a G Suite domain, service accounts are not members of your G Suite account and aren’t subject to domain policies set by G Suite administrators. For example, a policy set in the G Suite admin console to restrict the ability of G Suite end users to share documents outside of the domain would not apply to service accounts.
See Perform G Suite Domain-Wide Delegation of Authority for more information.
I have an app using s2s connection with google calendar api. I need to create an event in different users calendars. To make it possible the user should go to the calendar's settings and share their calendar to the service account.
But I would like to simplify this for the user - so that they don't need to go to their calendar settings. I don't have an interface for the user interaction - it's a bot.
How can I access the user's calendar in another way?
Maybe you can change the role set by the user to the calendar. According to this documentation, the owners of a calendar can share the calendar by giving access to other users. The sharing settings of a given calendar are represented by the ACL collection (access control list) of that calendar. Each resource in the ACL collection grants a specified grantee a certain access role. So the user can make you the writer or owner of their calendar, so that you can access it.
Another way is by using Delegating domain-wide authority to the service account,
If you have a Google Apps domain—if you use Google Apps for Work, for
example—an administrator of the Google Apps domain can authorize an
application to access user data on behalf of users in the Google Apps
domain. For example, an application that uses the Google Calendar API
to add events to the calendars of all users in a Google Apps domain
would use a service account to access the Google Calendar API on
behalf of users. Authorizing a service account to access data on
behalf of users in a domain is sometimes referred to as "delegating
domain-wide authority" to a service account